Several critical Linux vulnerabilities have been declared, involving a bug in CUPS, the Common UNIX Printing System. All versions of Red Hat Enterprise Linux (RHEL) are among the Linux distributions affected, but not in default configuration.
There are four vulnerabilities that have been identified and allocated the following CVEs – CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177. It is anticipated that additional CVEs will follow.
The CVEs were originally reported by Simone Margaritelli, a well-known computer security researcher and creator of numerous tools used in cyber security. He first posted about the CVEs on X on September 23, claiming they have a CVSS score of 9.9/10 and later detailed the CVEs on September 26.
Impact:
Margaritelli claimed that three weeks ago he discovered a Remote Code Execution (RCE) unauthenticated vulnerability that affects all GNU/Linux systems.
The four CVEs are within OpenPrinting CUPS, an open source printing system that is prevalent in most modern Linux distributions and provides tools to manage, discover and share printers for Linux distributions. By chaining these four vulnerabilities together, an attacker could potentially achieve remote code execution, allowing them to steal sensitive data or damage critical production systems.
Red Hat has commented, saying that for Red Hat Enterprise Linux (RHEL) this can be executed by the following events:
- The cups-browsed service has manually been enabled or started
- An attacker has access to a vulnerable server, which
a) Allows unrestricted access, such as the public internet, or
b) Gains access to an internal network where local connections are trusted. - Attacker advertises a malicious IPP server, thereby provisioning a malicious printer
- A potential victim attempts to print from the malicious device
- Attacker executes arbitrary code on victim’s machine
Upwind researchers would like to note that even without unrestricted access as listed in step 2 of the Red Hat scenario, if UDP Port 631 is exposed, the attack can be carried out.
Affected Versions:
CVE-2024-47176- Package-name –
cups-browsed - version <= 2.0.1
- Description: Binds on
UDP INADDR_ANY:631trusting any packet from any source to trigger aGet-Printer-AttributesIPP request to an attacker controlled URL.
- Package-name –
CVE-2024-47076- Package-name –
libcupsfilters - version <= 2.1b1
- Description:
cfGetPrinterAttributes5does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker controlled data to the rest of theCUPSsystem.
- Package-name –
CVE-2024-47175- Package-name –
libppd - version <= 2.1b1
- Description:
ppdCreatePPDFromIPP2does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker controlled data in the resulting PPD.
- Package-name –
CVE-2024-47177- Package-name –
cups-filters - version <= 2.0.1
- Description:
foomatic-ripallows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.
- Package-name –
This file collected by Margaritelli contains a list of all the affected Linux versions.
How to Mitigate the CUPS Vulnerability
If your system is affected by the CUPS vulnerability, follow these steps to completely remove and mitigate the associated risks:
1. Stop and Disable the CUPS Service:
The first step is to stop the CUPS service and disable it to prevent it from restarting.
sudo systemctl stop cups
sudo systemctl disable cupsCopied
2. Stop and Disable the cups-browsed Service:
Next, stop and disable the cups-browsed service, which is commonly used for network printer discovery.
sudo systemctl stop cups-browsed
sudo systemctl disable cups-browsedCopied
3. Remove CUPS Packages:
Uninstall CUPS and any related packages using your system’s package manager. The command varies depending on your Linux distribution:
For Debian/Ubuntu-based systems:
sudo apt-get purge --auto-remove cups cups-browsedCopied
For RHEL/CentOS/Fedora-based systems:
sudo yum remove cups cups-browsedCopied
For Arch-based systems:
sudo pacman -Rns cups cups-browsedCopied
4. Remove CUPS Configuration Files:
Even after removing CUPS, configuration files may remain. These should be manually deleted:
sudo rm -rf /etc/cupsCopied
5. Remove User Data:
If you’ve set up printers or other user-specific configurations, remove the associated user data:
sudo rm -rf /var/spool/cups
sudo rm -rf /var/cache/cupsCopied
6. Clean Up Residual Dependencies:
After uninstalling CUPS, there may be leftover packages and dependencies. You can clean these up using the appropriate package manager command:
For Debian/Ubuntu-based systems:
sudo apt-get autoremoveCopied
For RHEL/CentOS/Fedora-based systems:
sudo yum autoremoveCopied
7. Block Traffic to UDP Port 631 and DNS-SD:
CUPS relies on UDP port 631 for the Internet Printing Protocol (IPP) and DNS-SD (mDNS) for printer discovery. To further protect your system, block traffic to these ports using iptables or ufw.
Using iptables:
Block all traffic to UDP port 631:
sudo iptables -A INPUT -p udp --dport 631 -j DROPCopied
Optionally, block DNS-SD traffic (used by CUPS for service discovery, mDNS on port 5353):
sudo iptables -A INPUT -p udp --dport 5353 -j DROPCopied
Using ufw (Uncomplicated Firewall):
sudo ufw deny 631/udp
sudo ufw deny 5353/udpCopied
Conclusion
By following these steps, you will completely remove CUPS and its related components from your system, ensuring protection from the vulnerability. Don’t forget to update your system regularly and monitor any services that could pose a security risk. For additional assistance from the Upwind team, contact us at [email protected].
